Penetration Testing mailing list archives
Re: I want the PT list back....
From: "Andre Gironda" <andreg () gmail com>
Date: Sun, 16 Dec 2007 17:55:47 -0700
On Dec 10, 2007 10:51 PM, Joseph McCray <joe () learnsecurityonline com> wrote:
> * NAC Solutions (tricky, but not as tough as Host-based IPS - MAC/IP spoofing still gets by of the stuff I've run into)
kevin.sf.net ; osvdb2.0 (usual answer for everything - check out its search capabilities - http://dev.osvdb.org/trac/projects/osvdb_rails/wiki/osvdb2goodness )
> * Host-Based IPS Solutions (really tough to beat - at least for me)
slipfest.cr0.org ; immdbg - http://www.immunityinc.com/downloads/Debugging_With_ID.odp
> * Wireless IPS Solutions (a joke)
host or network based? More people should be re-writing drivers so that they ignore deauthentication messages. I'd be curious if these are any good (they're probably just zero-day waiting to happen) - hotspot defense kit - http://airsnarf.shmoo.com http://www.airtightnetworks.net/products/sg_safe/sg_safe_registration_form.asp

In my opinion, if you aren't using at least WPA2-Personal (preferably with HostAP, which will let you specify different passphrases on a per-MAC basis), then there is no point to WIDS/WIPS. Most organizations will likely want to run PEAP or even PEAP-EAP-TLS (very strong if done right!), but IMO these are over-complicated. Any non-NSA organization is better off running a WPA2-Personal infrastructure that allows different passphrases for different clients (such as HostAP), but making damn sure every SSID and passphrase are both complete to full-character set and pseudo-random. I suggest using the following:

For SSID (this doesn't really matter as long as it's a very unique value)

  $ cat /dev/urandom | tr -cd '[:alnum:]' | fold -w 32 | head -1
  H0m6sDFXsXGUUr7aO9FToEm3WrBLHa0h

For WPA2-PSK (this matters quite a lot)

  $ cat /dev/urandom | tr -cd '[:xdigit:]' | tr '[:lower:]' '[:upper:]' | fold -w 64 | head -1
  7B47D2E19CD3317EADAAF0DFDAC3DECC88A42BA335C5BD93B32930FF6DEEFEAF

although just in case that happens to be a dictionary word you might want to do this instead

  $ cat /dev/urandom | tr -cd '[:graph:]' | fold -w 63 | head -1
  @]p|+~Rg2@L5HR;8\*S*:|m:Hax;QGT%.-;?~ZEPN}[dmYjQ)1P"=NV+!k}A.\Z

I think in the case of using a string, it's hashed with the SSID and some other material in order to produce the hex value, which is the real PSK.

If you're really paranoid, you could set up WKnock and change your SSID often and simultaneously run FakeAP. I've always wanted to set up a few radios to make a better FakeAP that appeared more realistic... a WiFi honeynet so to speak
> * 802.1x - I haven't seen it on an assessment yet.
PEAP clients often don't validate server certificates, leading to MITM. Wait for Josh Wright's new talk at Shmoocon - http://www.willhackforsushi.com/Home/Entries/2007/11/12_Lining_Up_2008_Talks!.html - to hear even more. Also see the Yersinia.net tool (send raw packets and MITM)
> networks from the outside. Port scanning and VA tools are damn near useless from external.
Not if you hit port 80 or 443, or a web server running on a different port. Do you ever run into Cisco routers open for SNMP, BGP, and other things during assessments?
> For me web app, to back end server, to the LAN is so rare it might as well be non-existent. Web app to DB - yeah...but not to internal LAN for me very much.
In the WASC project on honeyproxies, the data/stats are showing that Command Injection, Dynamic Execution, and File Inclusion are much more successful than common attacks such as XSS or SQLi. CORE IMPACT supports SQLi, File Inclusion, and Command Injection (but not XSS yet). Mail command injection appears to be very common, e.g.

  andreg+pentest () gmail com%0aRCPT%20to:%20all () corp com

Here's a cross-platform command injection available from WAHH -

  || ping -i 30 127.0.0.1 ; x || ping -n 30 127.0.0.1 &

(if the app pauses for 30 seconds, you probably are on to something). Try the above with single pipes, semi-colons, ampersands, backticks, and LFs (%0a).

The FOSS tool, w3af, supports much of the above easily - and is going to perform multi-stage attacks (integration with metasploit, using source to extend attacks, using RFI to stage a new attack automatically, etc). See - http://w3af.sourceforge.net/documentation/user/w3af-T2.pdf and check out the tutorials on this blog - http://pentesterconfessions.blogspot.com

Remote file inclusion means that you'll need to host the PHP (or other dynamic script) somewhere. It's incredibly easy to find both runtime and with source - probably easier than finding URL redirection. I have a huge list of source code scanners for PHP on http://www.tssci-security.com/archives/2007/11/24/2007-security-testing-tools-in-review/ starting with "Inspekt, Pixy, RATS, SWAAT, PHP-SAT, PHPSecAudit, PSA3, and FIS (File Inclusion Scanner, with the extended tool, WebSpidah)".
> Spear phishing with or without client-side exploits is it for me for external to internal. <-- How about you guys?
ClientVA.org (mentions Mr. T and Metagoofil)
Secunia PSI
Aruba (Josh Wright) WiFiDEnum
Snort/Sourcefire OfficeCat
GNUCITIZEN.org

Spear phishing tests are great because you ask the security team if you can own them by sending them links to click on. They should just assume that anyone in the company will click any link you send - so don't bother with "zero-knowledge"... just let the security pros use their builds. This will also let them play with live exploits, so they can honeypot trap with Argos - http://www.few.vu.nl/argos/ - or perform mock incident response.
> Internal networks are still a mess, riddled with old vulnerabilities - even when the customer has patch management solutions. I can't be as noisy trying to find them like the good old days - but they are still there - the bigger the company the more legacy crap they have.
Sounds like a job for XSS tunneling
> Rarely I find a Linux box on the client's network that I can use to set up shop these days so I've had to develop a collection of command-line windows tools. Anybody else in this boat? If so what's in your toolkit? I started with meta.cab from Phoenix 2600 and have been customizing it.
Oh I hang out with those guys. We're trying to re-vitalize Phoenix 2600 because the meetings have died down a lot. Are lots of people using this?
> For wireless I pretty much just use Kismet/Aircrack-NG, but I'm really interested in wicrawl. Anyone using it on pentests yet?
Up until this past DefCon release of wicrawl, it was really poor from what I hear from WiFi auditors and assessors. I haven't had time to play with it in the last 5 months, but I do recommend that people try it. I assume that Kismet, wicrawl, aircrack-ng, and aircrack-ptw are all on the Backtrack 3 CD/USB ISOs. Certainly these are the best tools to use, but there is a lot more out there. My laptop I used to type this is sitting on top of Hacking Exposed Wireless; great book. Be sure to check out this video, too - http://www.youtube.com/watch?v=bGiWOogdJho

For WiFi, it's more about hardware - and that's why I think investing in Nokia N800/N810 gear, Soekris boards running Pyramid Linux, and CM9 cards - http://www.netgate.com/product_info.php?cPath=26_34&products_id=126 - are a really good idea. Both make ideal platforms to run WiFiZoo and KARMA, in addition to all the tools already mentioned. WiFiZoo on the iPhone would also be nice, if it's even possible.
> Inguma looks interesting, I run into Oracle on tests a lot. Is anyone using it - if so what do you think?
Also http://www.imperva.com/scuba/ and http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470080221,descCd-DOWNLOAD.html
> Some attacks that look really interesting - but I don't know of anyone doing them in assessments? Can someone shed some light?
> * Remote SQL/PHP Shell Injection
See above
> I look forward to hearing from you guys....let me know what you are running into.
http://www.tssci-security.com/archives/2007/12/02/why-pen-testing-doesnt-matter/

Cheers,
Andre
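An added example, not code from the thread or from any of the tools it names: the SSID/PSK generation above done in Python, together with the passphrase-to-PSK mapping the post guesses at. In 802.11i a 64-hex-digit value is used directly as the 256-bit PMK (no SSID involved), while an 8-63 character passphrase goes through PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and 32 bytes of output; function names here are my own.

```python
import hashlib
import secrets
import string

# Character sets mirroring the tr(1) classes used in the one-liners above
ALNUM = string.ascii_letters + string.digits
GRAPH = "".join(chr(c) for c in range(0x21, 0x7F))  # [:graph:]: printable non-space ASCII


def random_ssid(length=32):
    """Random alphanumeric SSID; it only has to be unique, not secret."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def random_raw_psk():
    """64 hex digits: a raw 256-bit PSK, used as-is as the PMK (no SSID hashing)."""
    return secrets.token_hex(32).upper()


def random_passphrase(length=63):
    """8-63 printable ASCII characters: a passphrase, which is hashed with the SSID."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    return "".join(secrets.choice(GRAPH) for _ in range(length))


def psk_from_passphrase(passphrase, ssid):
    """802.11i passphrase mapping: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)
    return raw.hex()


if __name__ == "__main__":
    ssid = random_ssid()
    passphrase = random_passphrase()
    print("SSID:       ", ssid)
    print("raw PSK:    ", random_raw_psk())
    print("passphrase: ", passphrase)
    print("derived PSK:", psk_from_passphrase(passphrase, ssid))
```

The 63-character [:graph:] string and the 64-hex-digit string are therefore not interchangeable: the former is a passphrase that the AP and client both expand with the SSID, the latter is already the key.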
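An added example (mine, not from the thread), taking the defender's view of the command-injection probe above: a scanner over constructed access-log lines that percent-decodes each query value and flags the separators the post lists (single pipe, semicolon, ampersand, backtick, LF) and the 30-second ping probe. The log lines, regexes and function names are all constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not from the thread). The second carries the
# WAHH timing probe, URL-encoded; the third appends a command after an encoded LF (%0a).
SAMPLE_LOG = """\
10.0.0.5 - - [16/Dec/2007:17:55:47 -0700] "GET /search?q=nmap HTTP/1.1" 200 512
10.0.0.9 - - [16/Dec/2007:17:56:02 -0700] "GET /ping?host=127.0.0.1%7C%7C+ping+-i+30+127.0.0.1+%3B+x+%7C%7C+ping+-n+30+127.0.0.1+%26 HTTP/1.1" 200 17
10.0.0.9 - - [16/Dec/2007:17:56:40 -0700] "GET /ping?host=127.0.0.1%0aid HTTP/1.1" 200 17
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Separators that let a second command ride along inside a shell argument:
# single pipe, semicolon, ampersand, backtick, newline (what %0a decodes to)
SHELL_META = re.compile(r"[|;&`\n]")
# The cross-platform sleep probe: a 30-second ping with Unix -i or Windows -n
TIMING_PROBE = re.compile(r"ping\s+-[in]\s+\d+\s+127\.0\.0\.1")


def suspicious_params(line):
    """Return [(param, reasons)] for query values that look like command injection."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    findings = []
    # parse_qsl percent-decodes and turns '+' into space, so %0a becomes a real newline
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        reasons = []
        if SHELL_META.search(value):
            reasons.append("shell metacharacter")
        if TIMING_PROBE.search(value):
            reasons.append("timing probe")
        if reasons:
            findings.append((name, tuple(reasons)))
    return findings


def scan_log(text):
    """Return [(line_number, param, reasons)] over every request line in the log text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, reasons in suspicious_params(line):
            hits.append((lineno, name, reasons))
    return hits


if __name__ == "__main__":
    for lineno, name, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: param {name!r}: {', '.join(reasons)}")
```

Pair this with response-time data from the same log if you have it: a request that both carries the probe and took about 30 seconds to serve is the application confirming the injection for you.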